1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
|
Network Working Group E. Burger
Request for Comments: 3459 SnowShore Networks
Updates: 3204 January 2003
Category: Standards Track
Critical Content Multi-purpose Internet Mail
Extensions (MIME) Parameter
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document describes the use of a mechanism for identifying body
parts that a sender deems critical in a multi-part Internet mail
message. The mechanism described is a parameter to Content-
Disposition, as described by RFC 3204.
By knowing what parts of a message the sender deems critical, a
content gateway can intelligently handle multi-part messages when
providing gateway services to systems of lesser capability. Critical
content can help a content gateway to decide what parts to forward.
It can indicate how hard a gateway should try to deliver a body part.
It can help the gateway to pick body parts that are safe to silently
delete when a system of lesser capability receives a message. In
addition, critical content can help the gateway chose the
notification strategy for the receiving system. Likewise, if the
sender expects the destination to do some processing on a body part,
critical content allows the sender to mark body parts that the
receiver must process.
Burger Standards Track [Page 1]
^L
RFC 3459 Critical Content of Internet Mail January 2003
Table of Contents
1. Conventions used in this document..............................3
2. Introduction...................................................3
3. Handling Parameter.............................................4
3.1. REQUIRED..................................................4
3.2. OPTIONAL..................................................5
3.3. Default Values............................................5
3.4. Other Values..............................................5
4. Collected Syntax...............................................6
5. Notification...................................................6
5.1. DSN vs. MDN Generation....................................7
5.2. Summary...................................................7
6. Signed Content.................................................8
7. Encrypted Content..............................................9
8. Status Code...................................................10
9. Requirements for Critical Content.............................11
9.1. Needs....................................................11
9.2. Current Approaches.......................................12
10. The Content Gateway...........................................13
10.1. Integrated Content Gateway..............................14
10.2. Disaggregated Delivery Network..........................14
11. Backward Compatibility Considerations.........................15
12. MIME Interactions.............................................15
12.1. multipart/alternative...................................15
12.2. multipart/related.......................................15
12.3. message/rfc822..........................................15
12.4. multipart/signed........................................16
12.5. multipart/encrypted.....................................16
13. Implementation Examples.......................................16
13.1. Content Gateways........................................16
13.2. Disaggregated Content Gateway...........................17
14. OPES Considerations...........................................18
14.1. Consideration (2.1): One-Party Consent..................18
14.2. Consideration (2.2): IP-layer Communications............18
14.3. Consideration (3.1): Notification - Sender..............18
14.4. Consideration (3.2): Notification - Receiver............18
14.5. Consideration (3.3): Non-Blocking.......................18
14.6. Consideration (4.1): URI Resolution.....................18
14.7. Consideration (4.2): Reference Validity.................19
14.8. Consideration (4.3): Architecture Extensions............19
14.9. Consideration (5.1): Privacy............................19
15. Security Considerations.......................................19
16. IANA Considerations...........................................19
17. References....................................................20
17.1 Normative References.....................................20
17.2 Informative Reference....................................21
18. Acknowledgments...............................................22
Burger Standards Track [Page 2]
^L
RFC 3459 Critical Content of Internet Mail January 2003
19. Intellectual Property Notice..................................23
20. Author's Address..............................................23
21. Full Copyright Statement......................................24
1. Conventions used in this document
This document refers generically to the sender of a message in the
masculine (he/him/his) and the recipient of the message in the
feminine (she/her/hers). This convention is purely for convenience
and makes no assumption about the gender of a message sender or
recipient.
The key words "MUST", "MUST NOT", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14, RFC 2119 [2].
The word "REQUIRED" in this document does not follow the definition
found in RFC 2119. This is because this document defines a parameter
named "REQUIRED". There is no requirement in this document that is
"REQUIRED", so there is no confusion.
In this document, the "sending agent" is the originator of the
message. It could be a mail user agent (MUA) for an Internet
message, or a SIP User Agent Client (UAC) for a SIP [3] message. The
"endpoint" is the receiving device, of lesser capability than the
sending agent.
NOTE: Notes, such as this one, provide additional nonessential
information that the reader may skip without missing anything
essential. The primary purpose of these non-essential notes is to
convey information about the rationale of this document, or to place
this document in the proper historical or evolutionary context.
Readers whose sole purpose is to construct a conformant
implementation may skip such information. However, it may be of use
to those who wish to understand why we made certain design choices.
2. Introduction
The specification of Critical Content is small and compact. For the
benefit of developers, the specification comes first, the rationale
after.
One concept that an implementer must understand is the content
gateway. Section 10 describes the content gateway. In brief, a
content gateway has knowledge of the receiving system's capabilities.
The content gateway passes messages the receiving system can process,
render or store. The content gateway can modify a message, for
example by deleting unrenderable or storable body parts, for delivery
Burger Standards Track [Page 3]
^L
RFC 3459 Critical Content of Internet Mail January 2003
to the receiving system. Finally, the content gateway can reject a
message that the receiving system cannot handle.
Although Critical Content processing is not an OPES service, the
protocol machinery described in this document meets all of the OPES
IAB requirements as stated by RFC 3238 [4]. Section 14 describes
this in detail. In particular, unlike the current situation where
content gateways silently modified messages, or had abstract rules
for modifying them (see the content transformation rules in VPIM, for
example), the Critical Content mechanism allows for the sending user
to explicitly indicate desired content handling by content gateways
NOTE: This document updates RFC 3204 [5] to separate the Handling
parameter from the ISUP/QSIG transport mechanism. The protocol
described here is identical in functionality to RFC 3204 with respect
to SIP. Future versions of RFC 3204 should reference this document
for the Handling parameter, as it is orthogonal to the tunneling of
signaling.
3. Handling Parameter
The Handling parameter is a Content-Disposition [6] parameter
inserted by the sending agent to indicate to the content gateway
whether to consider the marked body part critical.
A REQUIRED body part is one the sender requires the receiving system
to deliver for him to consider the message delivered.
An OPTIONAL body part is one the sender doesn't care whether the
receiving system delivers it or not. A content gateway can silently
delete such body parts if the receiving system cannot deliver the
part.
The terms "entity" and "body part" have the meanings defined in [6].
3.1. REQUIRED
"Handling=REQUIRED" signifies that this body part is critical to the
sender.
If the content gateway cannot pass a body part marked REQUIRED, then
the entire message has failed. In this case, the content gateway
MUST take the appropriate failure action.
NOTE: We say "appropriate action", because the sender may have
suppressed all notifications. In this case, the appropriate action
is to silently discard the message. In addition, as a general MIME
parameter, the MIME body part may not be in an Internet Mail message.
Burger Standards Track [Page 4]
^L
RFC 3459 Critical Content of Internet Mail January 2003
Moreover, in the SIP case, the appropriate notification is a status
return code, not a delivery notification.
3.2. OPTIONAL
"Handling=OPTIONAL" signifies that the sender does not care about
notification reports for this body part.
If the content gateway cannot pass a body part marked OPTIONAL, the
receiving system may silently delete the body part. The receiving
system MUST NOT return a delivery failure, unless parts marked
REQUIRED have also failed.
3.3. Default Values
The default value for Handling for a given body part is REQUIRED.
This enables the existing notification mechanisms to work for sending
agents that do not know about the content notification entity. All
body parts are critical, because they have the default marking of
REQUIRED.
NOTE: In the case of Internet mail, critical content processing is a
function of the content gateway and not the mail transfer agent (MTA)
or user agent (UA). Often, the entity performing content gateway
processing is the receiving UA. However, in this case the UA is
acting as a content gateway. Thus the default action for any
Content-Disposition [6]-compliant user agent to ignore unrecognized
disposition parameters ensures that this mechanism is compatible with
the Internet architecture.
NOTE: This parameter is fully backwards compatible and works as
expected for Internet mail and SIP.
NOTE: Some VPIMv2 implementations can receive arbitrary e-mail from
the Internet. However, these systems are really acting in the
capacity of an Internet Voice Mail system. In this case, one would
expect the implementation to provide Internet Voice Mail semantics to
Internet Voice Mail messages.
3.4. Other Values
The content gateway MUST treat unrecognized values as REQUIRED. This
is to provide backward compatibility with future uses of the
Content-Criticality entity.
NOTE: A possible new value is IMPORTANT. An IMPORTANT body part is
something the sender wants the receiver to get, but would not want
the message rejected outright if the IMPORTANT body part fails, but
Burger Standards Track [Page 5]
^L
RFC 3459 Critical Content of Internet Mail January 2003
they do want notification of the failure. However, as no
implementations do IMPORTANT, it is not important to this version of
this document.
4. Collected Syntax
The format of the collected syntax is in accordance with the ABNF of
[7]. Note that per RFC 2183 [6], the HANDLING Content-Disposition
parameter is not case sensitive. In addition, the notification-type
is not case sensitive.
"handling" "=" notification-type CRLF
notification-type = "REQUIRED" / "OPTIONAL" /
other-handling / generic-param
other-handling = token
5. Notification
One obvious application of critical content is generating a (non-)
delivery notification in the Internet mail environment. If the value
of the field is OPTIONAL, the content gateway MUST NOT generate a
notification. If the value of the field is REQUIRED, the content
gateway MAY generate a notification, based on the normal notification
request mechanisms. Normal notification request mechanisms include
specifying the NOTIFY parameter to the SMTP RCPT command [8] and the
Disposition-Notification-To header [9].
In SIP, all requests have responses. These responses provide
notification in the status code of the response. For the RFC 3204
case, a content gateway generates a 415 (Unsupported Media Type)
response if the field is REQUIRED.
If the sending system requests a notification, and a REQUIRED part
fails, the content gateway MUST generate a notification for the whole
message. Conversely, if the gateway cannot pass on a body part
marked OPTIONAL, the gateway MUST NOT generate a notification.
NOTE: This implies that the content gateway must examine the entire
message to determine whether it needs to generate a notification.
However, the content gateway need not examine the message if it knows
it can store and forward all media types. Said differently, Internet
e-mail MTAs or gateways can, by default, handle any arbitrary MIME-
encapsulated type. Some voice mail systems, on the other hand,
cannot store binary attachments at all, such as application/ms-word.
The voice mail content gateway, in this example, would be scanning
for non-renderable body parts in any event.
Burger Standards Track [Page 6]
^L
RFC 3459 Critical Content of Internet Mail January 2003
5.1. DSN vs. MDN Generation
The content gateway generates a delivery status notification (DSN)
[9] if it operates as a gateway. The content gateway generates a
Message Disposition Notification (MDN) [10] if it operates as a mail
user agent. Section 6 describes the operating modes of a content
gateway. In short, if there is a MTA that "delivers" the message to
the content gateway for processing, the MTA takes responsibility for
DSN processing. In this case, the only option available to the
content gateway is to generate MDNs. If the content gateway operates
as a MTA, then it generates DSNs. DSN generation is the preferred
option.
If the content gateway is part of a SIP endpoint, then it generates
the appropriate success or error response code.
5.2. Summary
The following table summarizes the actions expected of a conforming
content gateway.
NOTE: This section is normative: it suggests what a content gateway
should put into the DSN or MDN.
NOTE: In the case of SIP, this section is informative. See RFC 3204
for the normative set of actions on failure.
Table 1 - Expected Actions
+--------------------------------------+
| Sending UA Has Marked Body Part |
|---------------------+----------------|
| REQUIRED | OPTIONAL |
+--------------------+---------------------+----------------+
| Body Part is | | |
| Deliverable | Appropriate Action | ignore |
+--------------------+---------------------+----------------+
| Body Part is | | |
| Undeliverable | Fail Entire Message | ignore |
+--------------------+--------------------------------------+
The "Appropriate Action" is the action the content gateway would take
given the context of execution. For example, if a sender requests
return receipt and the receiver reads a HANDLING body part, the
receiving UA must generate the appropriate MDN (following the rules
for MDN). Likewise, if the content gateway cannot deliver the body
part and the body part is critical, the content gateway generates the
appropriate DSN or MDN.
Burger Standards Track [Page 7]
^L
RFC 3459 Critical Content of Internet Mail January 2003
"Optional" means the content gateway ignores the disposition of the
body part. The content gateway treats the message as if the body
part was not present in the message.
6. Signed Content
RFC 1847 [11] describes how to apply digital signatures to a MIME
body part. In brief, a multipart/signed body part encapsulates the
body part of interest, or the "content object", in a MIME body part
and the control information needed to verify the object, or the
"protocol" in the lexicon of RFC 1847, in a second MIME body part.
Here is an example taken from RFC 1847.
Content-Type: multipart/signed; protocol="TYPE/STYPE";
micalg="MICALG"; boundary="Signed Boundary"
--Signed Boundary
Content-Type: text/plain; charset="us-ascii"
This is some text to be signed although it could be
any type of data, labeled accordingly, of course.
--Signed Boundary
Content-Type: TYPE/STYPE
CONTROL INFORMATION for protocol "TYPE/STYPE" would be here
--Signed Boundary--
Figure 1 - Signed Content MIME Type
There are three places where one may place the criticality indicator
for a multipart/signed body part. One could mark the
multipart/signed object, the content object, the control object, or
any combination of the three.
The disposition of REQUIRED body parts follow the guidelines found in
RFC 2480 [12].
A critical content indicator on a multipart/signed body part means
the sending party requires true end-to-end signature verification.
Thus the gateway needs to pass the enclosure intact. If the system
or network of lesser capability cannot do signature verification and
the signed enclosure is REQUIRED, the gateway MUST reject the
message.
Burger Standards Track [Page 8]
^L
RFC 3459 Critical Content of Internet Mail January 2003
A critical content indicator on a signature means that either the
receiving endpoint must be able to do signature verification, or the
gateway needs to verify the signature before forwarding the message.
If the content does not pass verification, the gateway MUST reject
the message.
A critical content indicator on the enclosed material specifies
whether that material is critical to the message as a whole. If the
signature is marked OPTIONAL and the enclosed material is marked
REQUIRED, the gateway MAY strip out the signature information if the
system or network of lesser capability cannot do signature
verification. However, if possible, we STRONGLY RECOMMEND the
gateway do signature verification and indicate tampering to the
recipient.
7. Encrypted Content
RFC 1847 [11] describes how to encrypt a MIME body part. In brief, a
multipart/encrypted body part encapsulates the control information
("protocol" in the lexicon of RFC 1847) for the encrypted object and
the second containing the encrypted data (application/octet-stream).
Here is an example taken from RFC 1847.
Content-Type: multipart/encrypted; protocol="TYPE/STYPE";
boundary="Encrypted Boundary"
--Encrypted Boundary
Content-Type: TYPE/STYPE
CONTROL INFORMATION for protocol "TYPE/STYPE" would be here
--Encrypted Boundary
Content-Type: application/octet-stream
Content-Type: text/plain; charset="us-ascii"
All of this indented text, including the indented headers,
would be unreadable since it would have been encrypted by
the protocol "TYPE/STYPE". Also, this encrypted data could
be any type of data, labeled accordingly, of course.
--Encrypted Boundary--
One may sensibly place a criticality indicator on the encrypted
enclosure (multipart/encrypted) body part. If the endpoint can
decrypt the message, then the gateway passes the body part in its
entirety.
Burger Standards Track [Page 9]
^L
RFC 3459 Critical Content of Internet Mail January 2003
If one marks the control object REQUIRED, then the sending UA
requires end-to-end encryption. If the endpoint cannot decrypt the
message, then the gateway MUST reject the message.
If the control object is OPTIONAL, and the endpoint cannot decrypt
the message, and the gateway can decrypt the message, then the
gateway MAY decrypt the message and forward the cleartext message.
The sending user has explicitly given permission for the gateway to
decrypt the message by marking the control object OPTIONAL. Recall
that the default indication for MIME body parts is REQUIRED. Thus if
the user takes no explicit action, the content gateway will assume
the user wished end-to-end encryption.
Marking the encrypted content, without marking the encrypted
enclosure, is problematic. This is because the gateway has to
decrypt the encrypted data to retrieve the header. However, it is
unlikely for the gateway to have the capability (e.g., keys) to
decrypt the encrypted data. If a sending UA wishes to mark encrypted
data as not REQUIRED, the sending UA MUST mark the encrypted content
as not REQUIRED. Clearly, if the sending UA marks the encrypted
content as REQUIRED, the gateway will apply the REQUIRED processing
rules. Moreover, if the sending UA does not mark the encrypted
content as REQUIRED, the gateway, unless it can decrypt the data,
will treat the encrypted content as REQUIRED. This occurs because
gateways always treat unmarked content as REQUIRED (see Section 3.3).
8. Status Code
The critical content indication, in itself, does not guarantee any
notification. Notification follows the rules described in [3], [8],
and [9].
NOTE: The content of actual DSNs or MDNs are beyond the scope of this
document. This document only specifies how to mark a critical body
part. On the other hand, we do envision sensible DSN and MDN
contents. For example, DSNs should include the appropriate failure
code as enumerated in [13]. Likewise, MDNs should include the
failure code in the MDN "Failure:" field.
If the receiving system is to generate a notification based on its
inability to render or store the media type, the notification should
use the status code 5.6.1, "Media not supported", from [10].
For the SIP case, all requests have notification provided by the
status response message. Per RFC 3204, a content gateway generates a
415 (Unsupported Media Type) response.
Burger Standards Track [Page 10]
^L
RFC 3459 Critical Content of Internet Mail January 2003
9. Requirements for Critical Content
This section is informative.
9.1. Needs
The need for a critical content identification mechanism comes about
because of the internetworking of Internet mail systems with
messaging systems that do not fulfill all of the semantics of
Internet mail. Such legacy systems have a limited ability to render
or store all parts of a given message. This document will use the
case of an Internet mail system exchanging electronic messages with a
legacy voice messaging system for illustrative purposes.
Electronic mail has historically been text-centric. Extensions such
as MIME [14] enable the user agents to send and receive multi-part,
multimedia messages. Popular multimedia data types include binary
word processing documents, binary business presentation graphics,
voice, and video.
Voice mail has historically been audio-centric. Many voice-messaging
systems only render voice. Extensions such as fax enable the voice
mail system to send and receive fax images as well as create multi-
part voice and fax messages. A few voice mail systems can render
text using text-to-speech or text-to-fax technology. Although
theoretically possible, none can today render video.
An important aspect of the interchange between voice messaging
services and desktop e-mail client applications is that the rendering
capability of the voice-messaging platform is often much less than
the rendering capability of a desktop e-mail client. In the e-mail
case, the sender has the expectation that the recipient receives all
components of a multimedia message. This is so even if the recipient
cannot render all body parts. In most cases, the recipient can
either find the appropriate rendering tool or tell the sender that
she cannot read the particular attachment.
This is an important issue. By definition, a MIME-enabled user
agent, conforming to [15], will present or make available all of the
body parts to the recipient. However, a voice mail system may not be
capable of storing non-voice objects. Moreover, the voice mail
system may not be capable of notifying the recipient that there were
undeliverable message parts.
The inability of the receiving system to render a body part is
usually a permanent failure. Retransmission of the message will not
improve the likelihood of a future successful delivery. Contrast this
with the case with normal data delivery. Traditional message
Burger Standards Track [Page 11]
^L
RFC 3459 Critical Content of Internet Mail January 2003
failures, such as a garbled message or disabled link will benefit
from retransmission.
This situation is fundamentally different from normal Internet mail.
In the Internet mail case, either the system delivered the message,
or it didn't. There is no concept of a system partially delivering a
message.
In addition, there are many situations where the sender would not
mind if the system did not deliver non-critical parts of a message.
For example, the sender's user agent may add body parts to a message
unbeknownst to the sender. If the receiving system rejected the
message because it could not render a hidden body part, the sender
would be understandably confused and upset.
Thus, there is a need for a method of indicating to a Mail Transfer
Agent (MTA) or User Agent (UA) that the sender considers parts of a
message to be critical. From the sender's perspective, he would not
consider the message delivered if the system did not deliver the
critical parts.
9.2. Current Approaches
One method of indicating critical content of a message is to define a
profile. The profile defines rules for silently deleting mail body
parts based on knowledge of the UA capabilities. Citing the example
above, a voice profile can easily declare that MTAs or UAs can
silently delete TNEF data and yet consider the message successfully
delivered. This is, in fact, the approach taken by VPIMv2 [16].
Since one aspect of the issue is deciding when to notify the sender
that the system cannot deliver part of a message, one could use a
partial non-delivery notification mechanism to indicate a problem
with delivering a given body part. However, this requires the user
request a delivery notification. In addition, the sender may not be
aware of parts added by the sending user agent. In this case, a
failure notice would mystify the sender.
A straightforward alternative implementation method for marking a
body part critical is to use a Critical-Content MIME entity. This
has the benefit that criticality is meta information for the body
part. However, IMAP servers in particular would need to either put
Critical-Content into the BODYSTRUCTURE method or create a new method
to retrieve arbitrary MIME entities. Given the experience of trying
to get Content-Location accepted by IMAP vendors, we chose not to go
that route.
Burger Standards Track [Page 12]
^L
RFC 3459 Critical Content of Internet Mail January 2003
What we need is a way of letting the sender indicate what body parts
he considers to be critical. The mechanism must not burden the
sender with failure notifications for non-critical body parts. The
mechanism must conform to the general notification status request
mechanism for positive or negative notification. When requested, the
mechanism must indicate to the sender when a receiving system cannot
deliver a critical body part.
10. The Content Gateway
This section is informative.
In this section, we use the definition found in RFC 2156 [17] for the
term "gateway."
We do not strictly use the definition found in RFC 2821 [18] for the
term "gateway." In particular, RFC 2821 is discussing a gateway that
should not examine the message itself. An RFC 2821 gateway is a
transport gateway, that mostly deals with transformations of the SMTP
information.
A content gateway is a gateway that connects a first network to a
second network. The second network often has lesser capability than
the first network. The canonical topology follows. "[MTA]", with
square brackets, signifies an optional component.
+---------+
+---------+ +-----+ | | +-------+ +-----------+
| Sending |=...=|[MTA]|===| Content |=...=| [MTA] |===| Receiving |
| UA | +-----+ | Gateway | +-------+ | UA |
+---------+ | | +-----------+
+---------+
First Network Second Network
Figure 2 - Content Gateway Topology
The content gateway can be the last hop before the receiving MTA. The
content gateway can be between networks, and thus not the last hop
before the receiving MTA. The content gateway can be the first MTA
the sending UA contacts. Finally, the content gateway can be an
integrated component of the receiving MTA.
For the SIP case, consider each MTA as a SIP Proxy, the Sending UA as
a SIP User Agent Client, and the Receiving UA as a SIP User Agent
Server.
Burger Standards Track [Page 13]
^L
RFC 3459 Critical Content of Internet Mail January 2003
10.1. Integrated Content Gateway
In this situation, the receiving user agent is integrated with the
content gateway. The integrated content gateway knows the
capabilities of the user agent. The topology is as follows.
+---------------------+
+---------+ +-----+ | : |
| Sending |=...=|[MTA]|===| Content : Receiving |
| UA | +-----+ | Gateway : UA |
+---------+ | : |
+---------------------+
First Network Second Network
Figure 3 - Integrated Content Gateway
The processing of ISUP and QSIG objects, as described in [5], is an
example of an integrated gateway.
10.2. Disaggregated Delivery Network
A degenerate case, although one that does occur, is where the content
gateway sits behind the final MTA. This happens when one implements
the content gateway as a post-processing step to a normal delivery.
For example, one could configure a mail handling system to deliver
the message to a queue or directory, where the content gateway
process picks up the message. If there were any directives for DSN
processing, the delivering MTA would execute them. For example, the
message could have requested notification on successful delivery.
The delivering MTA, having delivered the message to the queue, would
consider the message delivered and thus notify the sender of such.
However, the content gateway process could then discover that the
receiving UA cannot render the message. In this case, the content
gateway generates a NDN, as it is the only option available.
Delivered
| +---------+
+---------+ +-----+ v | | +-----------+
| Sending |=...=| MTA |--> File -->| Content |=...=| Receiving |
| UA | +-----+ | Gateway | | UA |
+---------+ | | +-----------+
+---------+
First Network Second Network
Figure 4 - Disaggregated Delivery Network
Burger Standards Track [Page 14]
^L
RFC 3459 Critical Content of Internet Mail January 2003
11. Backward Compatibility Considerations
DSN requires ESMTP. If MTAs in the path from the sending UA to the
receiving UA do not support ESMTP, then that MTA will reject the DSN
request. In addition, the message will default to notification on
delay or failure. While not ideal, the sender will know that DSN is
not available, and that critical content that fails will get
notification.
12. MIME Interactions
12.1. multipart/alternative
As is true for all Content-Disposition parameters, handling is only
in effect for the selected alternative. If the selected alternative
has the critical content indicator, then the entire alternative takes
on the criticality indicated. That is, if the alternative selected
has HANDLING=OPTIONAL, then the content gateway MUST NOT generate any
delivery notifications.
NOTE: This statement explicitly shows that HANDLING overrides the DSN
and MDN request mechanisms.
It is unlikely for a selected alternative to fail, as the content
gateway presumably picks the alternative specifically because it can
render it.
If the selected alternative is a message/rfc822 that encloses a
multipart MIME message or the selected alternative is itself a
multipart MIME type, the individual top-level body parts follow the
HANDLING mechanism described in this document.
NOTE: This means that a forwarded message's criticality will not
affect the forwarding agent's intentions.
12.2. multipart/related
Criticality fits in rather well with the multipart/related
construction. For example, consider a multipart/related message
consisting of a Macintosh data fork and a Macintosh resource fork.
For a Microsoft Word document, the data fork is likely to be
critical. The receiving system can safely ignore the resource fork.
12.3. message/rfc822
Criticality only affects the outermost level of the message or, in
the case of multipart/alternative, the outermost level of the
selected alternative. Specifically, the receiving system ignores
Burger Standards Track [Page 15]
^L
RFC 3459 Critical Content of Internet Mail January 2003
criticality indicators in embedded body parts. This avoids the
situation of a forwarded message triggering or suppressing undesired
reporting. This simply implements the procedures described in [6].
12.4. multipart/signed
See Section 6.
12.5. multipart/encrypted
See Section 7.
13. Implementation Examples
This section is an informative part of the definition of Criticality.
We hope it helps implementers understand the mechanics of the
Handling mechanism.
We will examine two cases. They are how a content gateway processes
a message and how a disaggregated content gateway processes a
message.
13.1. Content Gateways
Content gateways examine the contents of a message from a first
network before the gateway forwards the message to a second network.
For the purposes of this example, we assume the second network has
less capability than the first network. In particular, we expect
there will be certain message body types that the gateway cannot pass
onto the second network.
Consider a gateway between the Internet and a text-only short message
service. A message comes through the gateway containing a text part
and a tnef part. The sender marks the text part REQUIRED. The
gateway, knowing the capability of the short message service,
silently deletes the non-critical, tnef part, passing the critical
content to the short message service network. Any subsequent
notifications, such as failure notices or delivery notices, follow
the normal rules for notification.
Note the gateway, by silently deleting non-critical content, may
affect proprietary message correlation schemes. One can envision the
sending UA inserting a body part for tracking purposes. By deleting
non-critical content, the content gateway will break such a scheme.
If a sending UA understands how to mark critical content, it should
use Internet standard mechanisms for tracking messages, such as
Message-ID [19].
Burger Standards Track [Page 16]
^L
RFC 3459 Critical Content of Internet Mail January 2003
What if no body parts have critical content indicators? In this
case, the entire message is critical. Thus, when the gateway sees
the tnef part, it will reject the entire message, generating a DSN
with a status code 5.6.1, "Media not supported".
Likewise, consider a three part message with a text annotation (part
1) to a voice message (part 2) with a vCard [20] (part 3). The sender
marks the first two parts REQUIRED. Now, let us assume the receiving
MTA (gateway) is a voice mail only system, without even the
capability to store text. In this case, the gateway, acting as the
receiving MTA, will reject the message, generating a DSN with the
status code 5.6.1, "Media not supported".
13.2. Disaggregated Content Gateway
For this example, we will examine the processing of a three-part
message. The first part is a text annotation of the second part, an
audio message. The third part is the sender's vCard. The sender
marks the first and second parts REQUIRED. In addition, the sender
marks the message for read receipt.
For the purposes of example, the telephone user interface (TUI) does
not perform text-to-speech conversion. A TUI is a mail user agent
(UA) that uses DTMF touch-tone digits for input and audio for output
(display).
The TUI is unable to render the first part of the message, the text
part. In addition, it is unable to render the third part of the
message, the vCard part. Since the sender did not mark the third
part of the message REQUIRED, the system ignores the failure of the
TUI to render the third part of the message. However, since the
sender did mark the first part REQUIRED, and the TUI is unable to
render text, the message fails.
What happens next is implementation dependent. If the TUI is part of
a unified messaging system, a reasonable action is to hold the
message for the user. The user can access the message at a later
time from a terminal that can render all of the critical body parts.
It would be reasonable for the TUI to notify the user about the
undeliverable body part.
If the TUI is part of a voice messaging system, or if the user does
not subscribe to a text-to-speech service, a reasonable action is for
the TUI to return a MDN with the disposition "failed" and the failure
modifier "5.6.1 (Media not supported)".
Burger Standards Track [Page 17]
^L
RFC 3459 Critical Content of Internet Mail January 2003
14. OPES Considerations
Critical Content processing is not a web service. However, some in
the Internet community may draw parallels between web services that
modify content and an e-mail, SIP, or other MIME-transport service
that modifies content.
This section will analyze the Critical Content protocol machinery
against the requirements stated in RFC 3238 [4]. The summary is that
the protocol described in this document meets all of the requirements
of RFC 3238.
14.1. Consideration (2.1): One-Party Consent
This is the heart of Critical Content. Critical Content enables the
sending party to give consent to have the message modified. Gateways
that conform to this document will ensure that gateways only modify
messages that the sending party has given consent to modify.
14.2. Consideration (2.2): IP-layer Communications
The content gateway is an addressable IP-entity. Moreover, all of
the relevant protocols (SMTP, SIP, HTTP, etc.) all explicitly make
the presence of the gateway known to the endpoints.
14.3. Consideration (3.1): Notification - Sender
Again, this is the point of this document. The sender explicitly
gets notification if the gateway would remove a Critical Content body
part.
14.4. Consideration (3.2): Notification - Receiver
The nature of the receiving system dictates that end users understand
that the messages have been changed.
14.5. Consideration (3.3): Non-Blocking
By definition, the endpoint cannot receive non-modified content, so
this requirement does not apply.
14.6. Consideration (4.1): URI Resolution
Clearly, one is sending mail (SMTP), a message (SIP), or fetching a
document (HTTP). The machinery described in this document does not
alter the content itself or the access mechanism. Thus it is
compliant with this requirement.
Burger Standards Track [Page 18]
^L
RFC 3459 Critical Content of Internet Mail January 2003
14.7. Consideration (4.2): Reference Validity
Since the protocol described in this document does not alter the
content itself, inter- and intra-document references are not altered.
However, intra-document references to removed body parts will fail.
On the other hand, the sender explicitly marked those body parts as
being disposable. Thus the sender is aware of the possibility the
parts may not arrive at the receiver.
14.8. Consideration (4.3): Architecture Extensions
Since the protocol described in this document meets Considerations
4.1 and 4.2, this requirement does not apply.
14.9. Consideration (5.1): Privacy
The privacy policy of this protocol is explicit. In particular, the
protocol honors end-to-end security.
15. Security Considerations
Sending UA's can use signatures over critical content indicators to
ensure the integrity of the indicator.
The gateway MUST honor signature processing. In particular, if the
sending UA marks the signature components REQUIRED, and the endpoint
cannot do MIME signature processing, the gateway MUST establish an
appropriate signature mechanism between the gateway and the endpoint.
In this case, the gateway must be secure, as it can become a target
point for tampering with the signed components of the message.
Receiving systems and users should not place any authentication value
on the Handling parameter.
Note that by design, and under the sending user's request, a content
gateway will silently delete unimportant body parts. Critical content
gives the sender the ability to determine the acceptable level
integrity of the delivered message. That is, the message as the
content gateway actually passes it on is, in fact, representative of
the sender's intentions.
16. IANA Considerations
RFC 3204 already registered the Handling parameter. It is collected
here only for reference and as a placeholder for use both for further
expansion in the future and as the normative reference for other
documents that need to reference the Handling parameter.
Burger Standards Track [Page 19]
^L
RFC 3459 Critical Content of Internet Mail January 2003
Per section 9 of [6], here is the IANA registration for Handling.
To: IANA@IANA.ORG Subject: Registration of new Content-Disposition
parameter
Content-Disposition parameter name: HANDLING
Allowable values for this parameter: REQUIRED OPTIONAL
Description: Marks the body part as required for delivery (REQUIRED)
or can be silently discarded (OPTIONAL). See RFC <this document> and
RFC 3204.
Per RFC 2183, the Content-Disposition parameter name is not case
sensitive. Per RFC 3459, the values of the parameter are also not
case sensitive.
17. References
17.1 Normative References
[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, P., Sparks, R., Handley, M. and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
[4] IAB, Floyd, S. and L. Daigle, "IAB Architectural and Policy
Considerations for Open Pluggable Edge Services", RFC 3238,
January 2002.
[5] Zimmerer, E., Peterson, E., Vemuri, A., Ong, L., Audet, F.,
Watson, M. and M. Zonoun, "MIME media types for ISUP and QSIG
Objects", RFC 3204, December 2001.
[6] Troost, R., Dorner, S. and K. Moore, Ed., "Communicating
Presentation Information in Internet Messages: The Content-
Disposition Header Field", RFC 2183, August 1997.
[7] Crocker, D. and P. Overell, Eds., "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
Burger Standards Track [Page 20]
^L
RFC 3459 Critical Content of Internet Mail January 2003
[8] Moore, K., "Simple Mail Transfer Protocol (SMTP) Service
Extension for Delivery Status Notifications (DSNs)", RFC 3461,
January 2003.
[9] Moore, K. and G. Vaudreuil, "An Extensible Message Format for
Delivery Status Notifications", RFC 3464, January 2003.
[10] Fajman, R., "An Extensible Message Format for Message
Disposition Notifications", RFC 2298, March 1998.
[11] Galvin, J., Murphy, S., Crocker, S. and N. Freed, "Security
Multiparts for MIME: Multipart/Signed and Multipart/Encrypted",
RFC 1847, October 1995.
[12] Freed, N., "Gateways and MIME Security Multiparts", RFC 2480,
January 1999.
[13] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC 3463,
January 2003.
[14] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Bodies",
RFC 2045, November 1996.
[15] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, November
1996.
[16] Vaudreuil, G. and G. Parsons, "Voice Profile for Internet Mail -
version 2", RFC 2421, September 1998.
[17] Kille, S., "MIXER (Mime Internet X.400 Enhanced Relay): Mapping
between X.400 and RFC 822/MIME", RFC 2156, January 1998.
[18] Klensin, J., Ed., "Simple Mail Transfer Protocol", RFC 2821,
April 2001.
[19] Crocker, D., "Standard for the Format of ARPA Internet Text
Messages", RFC 822, August 1982.
17.2 Informative Reference
[20] Dawson, F. and T. Howes, "vCard MIME Directory Profile", RFC
2426, September 1998.
Burger Standards Track [Page 21]
^L
RFC 3459 Critical Content of Internet Mail January 2003
18. Acknowledgments
Emily Candell of Comverse Network Systems was instrumental in helping
work out the base issues in the -00 document in Adelaide.
Ned Freed pointed out that this mechanism was about criticality, not
notification. That insight made the concept and descriptions
infinitely more straightforward. If it's still confusing, it's my
fault!
Ned Freed also was instrumental in crafting the sections on
multipart/signed and multipart/encrypted. As AD, he provided
invaluable commentary to help progress this document.
Keith Moore for helped tighten-up the explanations, and he approved
of the use of Content-Disposition.
Dropping the IMPORTANT critical content type took away one of the
reasons for partial non-delivery notification. That makes Jutta
Degener very happy!
Harald Alvestrand and Chris Newman suggested some implementation
examples.
Greg White asked THE key question that let us realize that critical
content processing was a gateway function, and not a MTA or UA
function.
Jon Peterson cleared up how handling actually does work in the SIP
environment.
An enormous thank you to Michelle S. Cotton at IANA for helping me
craft the original IANA Considerations section in 2000, and for
catching the functional overlap with RFC 3204 in January 2002.
Any errors, omissions, or silliness are my fault.
Burger Standards Track [Page 22]
^L
RFC 3459 Critical Content of Internet Mail January 2003
19. Intellectual Property Rights Notice
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementers or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
20. Author's Address
Eric Burger
SnowShore Networks, Inc.
285 Billerica Rd.
Chelmsford, MA 01824-4120
USA
Phone: +1 978 367 8400
Fax: +1 603 457 5944
EMail: e.burger@ieee.org
Burger Standards Track [Page 23]
^L
RFC 3459 Critical Content of Internet Mail January 2003
21. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Burger Standards Track [Page 24]
^L
|
